Many people consider the traditional behavior to be a security risk, which is why this was changed. FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm reluctant to do that in the upstream libarchive project.

Tim

> On May 12, 2016, at 8:54 AM, Martin Matuska <mm_at_freebsd.org> wrote:
>
> Looks like we have to remove line #174 from cpio/cpio.c:
> cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
>
> This breaks traditional cpio behavior.
>
> Quoting Martin Matuska <mm_at_freebsd.org>:
>
>> Hi Michael, I have looked at the source and this is an intended change in 3.2.0.
>>
>> An absolute path security check was added, cpio refuses to extract or copy over absolute paths. To do this anyway the "--insecure" flag must be used.
>>
>> Here is the commit:
>> https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
>>
>> Quoting Michael Butler <imb_at_protected-networks.net>:
>>
>>> It seems that today's libarchive update breaks cpio's behaviour:
>>>
>>> sudo ezjail-admin update -i -s /usr/src
>>>
>>> [ .. ]
>>>
>>> cd /usr/src/etc/..; install -o root -g wheel -m 444 COPYRIGHT
>>> /usr/local/jails/fulljail/
>>> install -o root -g wheel -m 444
>>> /usr/src/etc/../sys/i386/conf/GENERIC.hints
>>> /usr/local/jails/fulljail/boot/device.hints
>>> /usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
>>> Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
>>> absolute: Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
>>> Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
>>> Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
>>> error: -1
>>>
>>> /usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
>>> Unknown error: -1
>>>
>>> /usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
>>> error: -1
>>>
>>> /usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
>>> error: -1
>>>
>>> /usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
>>> absolute: Unknown error: -1
>>> [ .. etc. .. ]
>>
>> Martin Matuska
>> FreeBSD committer
>> http://blog.vx.sk
>
> Martin Matuska
> FreeBSD committer
> http://blog.vx.sk

Received on Sat May 14 2016 - 17:47:56 UTC
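
Added example, not part of the original thread and not libarchive's code: a pre-extraction name check of the kind discussed above, refusing absolute member paths unless the caller opts out. The names `check_entry_path`, `count_rejected` and the verdict enum are hypothetical, the sample names are constructed, and rejecting `..` components is a generalization beyond the absolute-path check the thread covers.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdicts are names made up for this example, not libarchive constants. */
enum path_verdict { PATH_OK, PATH_EMPTY, PATH_ABSOLUTE, PATH_DOTDOT };

/* Classify one archive member name before anything is written to disk.
 * allow_insecure models an opt-out like the "--insecure" flag in the thread. */
enum path_verdict check_entry_path(const char *name, bool allow_insecure)
{
    if (name == NULL || *name == '\0')
        return PATH_EMPTY;              /* nothing to create, even when opted out */
    if (allow_insecure)
        return PATH_OK;
    if (name[0] == '/')
        return PATH_ABSOLUTE;           /* would land outside the target directory */
    for (const char *p = name; *p != '\0';) {
        size_t len = strcspn(p, "/");   /* length of the current component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return PATH_DOTDOT;
        p += len;
        p += strspn(p, "/");            /* skip one or more separators */
    }
    return PATH_OK;
}

/* Count how many names in a listing would be refused. */
size_t count_rejected(const char *const *names, size_t n, bool allow_insecure)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++)
        if (check_entry_path(names[i], allow_insecure) != PATH_OK)
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample member names, not taken from a real archive. */
    const char *const names[] = { "bin/cat", "/bin/cat", "../etc/passwd", "usr/bin/..", "" };
    size_t n = sizeof names / sizeof names[0];
    printf("secure: %zu of %zu refused\n", count_rejected(names, n, false), n);
    printf("insecure: %zu of %zu refused\n", count_rejected(names, n, true), n);
    return 0;
}
```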